__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                        (CIAC)
__________________________________________________________

                     INFORMATION BULLETIN

       UNIX PDF Readers/Viewers Malicious Hyperlinks Vulnerability

June 19, 2003 18:00 GMT                                        Number N-107
[Revised 07 July 03]
[Revised 17 July 03]
______________________________________________________________________________
PROBLEM:       A vulnerability in various UNIX PDF readers/viewers allows a
               remote attacker to embed malicious external-type hyperlinks
               in a PDF file; when the victim follows such a link, commands
               chosen by the attacker run on the victim's system. Only PDF
               readers on UNIX/Linux systems are affected. Readers on
               Windows and Macintosh systems are not vulnerable.

PLATFORM:      - Red Hat Linux versions 9.0, 8.0, 7.3, 7.2, and 7.1
               - Sun Linux v5.0 (see Sun's Alert Notification)
               - Sun Solaris (no patch information yet)
               - HP-UX (no patch information yet)
               - AIX (no patch information yet)

DAMAGE:        If a victim follows a malicious hyperlink, the attacker can
               execute arbitrary shell commands with the victim's
               privileges.

SOLUTIONS:     - Apply vendor patches when available.
               - Upgrade to Adobe Reader v5.07 or Xpdf 2.02pl1 (the
                 open-source viewer).
               - Monitor CERT's Vulnerability Note VU#200132 for updated
                 vendor information.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The vulnerability exists because some
ASSESSMENT:    UNIX/Linux PDF readers/viewers handle hyperlinks by building
               a command line that contains the link target and handing it
               to the shell command interpreter to spawn the external
               program; shell metacharacters in the link target are
               therefore interpreted as additional commands.
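The following is an added example, not code from CIAC, Red Hat or the Xpdf project, showing the class of bug the assessment describes and the launcher design that avoids it. The command template, the browser name and both link targets are constructed for illustration; the "vulnerable" function only builds the command string a viewer would pass to system(3) and never executes it.

```c
/*
 * Added example (not CIAC, Red Hat or Xpdf code): a PDF viewer that hands
 * link targets to the shell is exploitable; a launcher that execs the
 * handler directly is not. URL_TEMPLATE, BENIGN_URI and HOSTILE_URI are
 * constructed for this demonstration.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical viewer configuration: %s is replaced by the link target and
 * the result would be passed to system(3). */
static const char *URL_TEMPLATE = "netscape -remote 'openURL(%s)'";

/* Constructed link targets as they might appear in a PDF URI action. */
static const char *BENIGN_URI  = "http://www.example.com/report.pdf";
static const char *HOSTILE_URI = "http://x/');id;echo'(";

/* Vulnerable pattern: textual substitution into a shell command line.
 * Returns the string system(3) would receive (not executed here). With
 * HOSTILE_URI the quote in the target closes the single-quoted argument
 * and ";id;" becomes a separate shell command. Returns NULL if the
 * template has no %s placeholder. */
const char *build_shell_command(const char *tmpl, const char *uri)
{
    static char cmd[512];
    const char *at = strstr(tmpl, "%s");
    if (at == NULL)
        return NULL;
    snprintf(cmd, sizeof cmd, "%.*s%s%s", (int)(at - tmpl), tmpl, uri, at + 2);
    return cmd;
}

/* Defense in depth for the safe launcher: allow only a few URL schemes and
 * reject whitespace, control and non-ASCII bytes. This is not what makes
 * the launcher safe (exec without a shell does that); it keeps file:,
 * mailto: and similar targets away from the external handler. */
int uri_is_safe(const char *uri)
{
    static const char *schemes[] = { "http://", "https://", "ftp://", NULL };
    int scheme_ok = 0;

    for (int i = 0; schemes[i] != NULL; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], n) == 0 && uri[n] != '\0') {
            scheme_ok = 1;
            break;
        }
    }
    if (!scheme_ok)
        return 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++)
        if (*p <= 0x20 || *p >= 0x7f)
            return 0;
    return 1;
}

/* Safe pattern: fork/exec the handler with the link target as one argv
 * element. No shell parses the target, so quotes, semicolons and $(...)
 * in it are just bytes. Returns the handler's exit status (127 if it could
 * not be started), or -1 if the target is rejected or fork/wait fails. */
int launch_browser(const char *browser, const char *uri)
{
    pid_t pid;
    int status;

    if (!uri_is_safe(uri))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, uri, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("vulnerable command line: %s\n",
           build_shell_command(URL_TEMPLATE, HOSTILE_URI));
    /* "echo" stands in for the browser: it prints the single argv it got */
    printf("safe launch (benign):  rc=%d\n", launch_browser("echo", BENIGN_URI));
    printf("safe launch (hostile): rc=%d\n", launch_browser("echo", HOSTILE_URI));
    return 0;
}
```

The important difference is where the link target goes: in the first function it becomes part of a string the shell will parse, in the second it is an argument that only the handler ever sees. Rejecting odd characters in the URL is a useful extra layer but cannot substitute for not invoking the shell, since a legitimate URL may contain `&`, `;`, `'` or `$`.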
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-107.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-196.html
 ADDITIONAL
 INFORMATION:
   CERT:             http://www.kb.cert.org/vuls/id/200132
   Adobe Reader:     http://www.adobe.com/products/acrobat/readstep2.html
   XPDF:             http://www.foolabs.com/xpdf/about.html
   SUN:              http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55601&zone_32=category%3Asecurity
______________________________________________________________________________

Revision History:
 7/7/03  - Added Sun's Alert link.
 7/17/03 - Updated Red Hat Advisory for release of 2nd round of updated
           packages.

[****** Start of Red Hat, Inc. RHSA-2003:196-13 ******]

Updated Xpdf packages fix security vulnerability

Advisory:             RHSA-2003:196-13
Last updated on:      2003-07-17
Affected Products:    Red Hat Linux 7.1
                      Red Hat Linux 7.2
                      Red Hat Linux 7.3
                      Red Hat Linux 8.0
                      Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0434

Details:

Updated Xpdf packages are available that fix a vulnerability where a malicious
PDF document could run arbitrary code.

[Updated 16 July 2003]
Updated packages are now available, as the original errata packages did not
fix all possible ways of exploiting this vulnerability.

Xpdf is an X Window System based viewer for Portable Document Format (PDF)
files.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An
attacker can embed malicious external-type hyperlinks that, if activated or
followed by a victim, can execute arbitrary shell commands.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these errata packages, which
contain a backported security patch that corrects this issue.
Updated packages (filename, followed by its MD5 sum):

Red Hat Linux 7.1
--------------------------------------------------------------------------------
SRPMS:
  xpdf-0.92-4.71.2.src.rpm                      dfdc27db65d2706554a3a35a1e4c7e0a
i386:
  xpdf-0.92-4.71.2.i386.rpm                     56083c770c865432ee611c64cffa42f6

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
  xpdf-0.92-10.src.rpm                          936f5aad703113ac64b3ebd608c21f48
i386:
  xpdf-0.92-10.i386.rpm                         3b37ceb7ac361a02b60dddf011a5f58d
ia64:
  xpdf-0.92-10.ia64.rpm                         ef4ed48238c8d9bfb7125311aea1d000

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
  xpdf-1.00-7.src.rpm                           bbbca3b1e966cfbfbf4d05934f289a11
i386:
  xpdf-1.00-7.i386.rpm                          5120b76b6af8c48a3311f3d69a3cdaa0
  xpdf-chinese-simplified-1.00-7.i386.rpm       ddd9c3f4413e16dac99787715d735c44
  xpdf-chinese-traditional-1.00-7.i386.rpm      466a0f0dd7b872ae52458bd395e79d7a
  xpdf-japanese-1.00-7.i386.rpm                 37390017f6ace8b30b0f5eec13dc31a6
  xpdf-korean-1.00-7.i386.rpm                   58806d04ec73add2c288b522f792dada

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
  xpdf-1.01-12.src.rpm                          d067a494ef6880548e68921d6d8f93a2
i386:
  xpdf-1.01-12.i386.rpm                         ee5f74ddc384aa52d3d87aa215f4adf2
  xpdf-chinese-simplified-1.01-12.i386.rpm      bd0f09fcdb6530d5ea00f0e5812094b3
  xpdf-chinese-traditional-1.01-12.i386.rpm     1d1fd8d47f01c2288d0e265d1b3f8307
  xpdf-japanese-1.01-12.i386.rpm                5eb08e7781c8a6f347f1f0b9c6c777c7
  xpdf-korean-1.01-12.i386.rpm                  3afffdb1cfb92d5755cb804bfae1a3c4

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
  xpdf-2.01-11.src.rpm                          afb14526ec5cdfe9b0ffb95dc2c63709
i386:
  xpdf-2.01-11.i386.rpm                         142e668bb198b78e25db0202e5b04e04
  xpdf-chinese-simplified-2.01-11.i386.rpm      ef59838e701dc44fcaf6606a4b478377
  xpdf-chinese-traditional-2.01-11.i386.rpm     d96168e7862b86e7a81a36afabdfb25d
  xpdf-japanese-2.01-11.i386.rpm                a805a60fddeb36df6d0ccf79e22199a7
  xpdf-korean-2.01-11.i386.rpm                  98208ce3a9324b4a9cc9274d807b26e0

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

To update all RPMs for your particular architecture, run:

  rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can also
use wildcards (*.rpm) if your current directory *only* contains the desired
RPMs.

Please note that this update is also available via Red Hat Network. Many people
find this an easier way to apply updates. To use Red Hat Network, launch the
Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Bugs fixed: (see bugzilla for more information)

  79680 - xpdf packaging issues

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0434
  http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security.
Our key is available at:

  http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

  rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered
with, examine only the md5sum with the following command:

  md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[****** End of Red Hat, Inc. RHSA-2003:196-13 ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. and CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-097: Red Hat Updated Tcpdump Packages
N-098: Microsoft Cumulative Patch for Internet Information Service (IIS)
N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities
N-100: Microsoft Windows Media Services ISAPI Extension Flaw
N-101: Microsoft Cumulative Patch for Internet Explorer (IE)
N-102: Hewlett-Packard Potential Security Vulnerabilities in CDE
N-103: Sun ONE Application Server May Disclose JavaServer Pages (JSP) Source
N-104: Red Hat Updated KDE packages
N-105: Sun "/usr/lib/utmp_update" Command Buffer Overflow Vulnerability
N-106: SGI Websetup/Webmin Security Vulnerability